Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Reported on
Dec 9th 2021
Description
The Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization.
Proof of Concept
1. Start a new web conference and share the link with other people.
2. A malicious user joins the conference with the following username:
<img%20src=#%20onerror=alert(document.cookie)>
3. As soon as the malicious user types in the "Shared notes" section (and the victim has the "Shared notes" section open), an alert popup is shown to the target user (in this case showing the document.cookie value).
Impact
XSS vulnerabilities allow attackers to inject arbitrary JavaScript code into other users' browsers, leading to theft of user session cookies, website defacement, phishing and many other attacks.
Mitigation
User input should always be sanitized against such attacks to prevent attackers from injecting malicious code. It is also important to perform output encoding in order to prevent unwanted code execution.
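As an added illustration of the output-encoding step described above (this is not BigBlueButton's code, and not the actual fix, which the maintainer below describes as a packaging change), the display name is HTML-encoded before it is placed in the note markup, so a name shaped like the proof-of-concept payload reaches the page as literal text rather than as an element. The `renderNote*` functions and the sample name are constructed for this example.

```javascript
// Added example: contextual output encoding for an untrusted display name.
// Not BigBlueButton code; the real fix was a packaging change.

// Escape the five characters that carry meaning in an HTML text or
// attribute-value context. Everything else can be emitted unchanged.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical): the author name is concatenated straight
// into markup, so a name containing a tag becomes part of the DOM.
function renderNoteUnsafe(author, text) {
  return `<div class="note"><b>${author}</b>: ${text}</div>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text
// context it lands in. The same name now renders as visible characters.
function renderNoteSafe(author, text) {
  return `<div class="note"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Cheap check for a unit test: after removing the tags the template itself
// emits, does the rendered fragment still contain an element start?
function containsUnexpectedTag(html) {
  const templateTags = ['<div class="note">', "</div>", "<b>", "</b>"];
  let stripped = html;
  for (const tag of templateTags) stripped = stripped.split(tag).join("");
  return /<[a-zA-Z]/.test(stripped);
}

// Constructed sample name: the URL-decoded form of the report's payload.
const sampleName = "<img src=# onerror=alert(document.cookie)>";

// Unsafe rendering keeps the tag; safe rendering does not.
containsUnexpectedTag(renderNoteUnsafe(sampleName, "hello")); // true
containsUnexpectedTag(renderNoteSafe(sampleName, "hello"));   // false
```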
Occurrences
References
The "fix" has been to switch the fork where we pull a plugin from. This "fix" has been released with versions 2.3.17 and 2.4.0 and I'd rather wait a day or so before confirming it fully resolved. It's not a glorious fix, it's a packaging change.
Hi Anton,
thank you for the update. I've just verified that the issue has been resolved in the new release and the XSS payload is not triggered anymore. Could you please confirm the report as resolved?
Thanks! Luca